How Amazon WorkSpaces Secure Browser Protects Enterprise Access
Amazon WorkSpaces Secure Browser is a fully managed, cloud-native, Linux-based service designed to provide secure browser access to internal websites, software-as-a-service (SaaS) applications, and the public internet.
It operates by streaming encrypted pixels from a remote browser session hosted in the AWS cloud to the user’s existing web browser, ensuring that sensitive corporate data does not touch the end user’s device, thus reducing the risk of data exfiltration.
Amazon WorkSpaces Secure Browser enhances security by running a fully managed Chrome browser in the AWS cloud and streaming only encrypted pixels to the user’s device. This isolates sensitive data, preventing local storage and reducing the risk of data leaks or malware. Each session uses a fresh, patched browser instance that is destroyed after use, so threats cannot persist from one session to the next.
Here are its key features and benefits:
Security and Isolation: The browser and web content are isolated in the AWS cloud, using a disposable container to minimize the risk of browser-based attacks and data leaks. It supports enterprise browser policies, including URL allow/block lists, and session-level controls to restrict clipboard, file transfers, and printing. Access can be limited to trusted networks or devices via IP Access Controls.
Cost-Effectiveness: Starting at $7 per month per user, it eliminates the need for specialized client software, infrastructure, or VPN connections, making it more cost-effective than traditional virtual desktops. It supports bring-your-own-device (BYOD) initiatives, reducing hardware costs. Each user gets up to 200 streaming hours per month, with pay-as-you-go pricing and no upfront commitments. A free trial is available for up to 30 users for 3 months per AWS account.
Ease of Use and Setup: The service integrates with existing web browsers (Chrome, Firefox, Edge, Safari) and requires no additional software or VPNs. Administrators can set up a web portal in minutes via the AWS Management Console, configuring network settings, browser policies, and SAML 2.0 identity provider (IdP) integration (e.g., Okta, AWS IAM Identity Center) for single sign-on. Each session launches with a fresh, fully patched Chrome browser.
Use Cases: Ideal for remote/hybrid workers, customer support agents, back-office employees, and high-security environments (e.g., law enforcement, government, financial services). It supports secure access to internal portals, SaaS apps, and analytics on sensitive data while preventing unauthorized data exfiltration.
Monitoring and Compliance: Administrators can monitor sessions using Amazon CloudWatch for near real-time metrics and Kinesis Data Streams for user access logging. AWS CloudTrail tracks API calls for auditing. The service supports various security standards and compliance certifications.
This service leverages the same technologies as Amazon WorkSpaces and AppStream 2.0, offering a scalable, secure, and cost-efficient solution for organizations prioritizing data security and remote access. For more details, visit the AWS WorkSpaces Secure Browser page.
Administrators can enforce strict policies, restricting URLs and disabling clipboard, file transfers, and printing to prevent unauthorized data access. Integration with SAML 2.0 identity providers like Okta ensures secure single sign-on, while IP access controls limit connections to trusted networks.
Monitoring via Amazon CloudWatch and Kinesis Data Streams provides real-time session insights and user activity logs, with AWS CloudTrail enabling compliance audits. By eliminating VPNs and keeping data in the cloud, the service supports secure access to internal and SaaS applications, which makes it ideal for high-security industries.